Separ Information Stealing Trojan

Separ is an information-stealing trojan, first observed in late 2017 and recently updated, that uses several legitimate applications to obtain user and system data.

Separ is distributed via spam campaigns as a self-extracting EXE file disguised as a PDF document. The emails refer to pricing quotes, shipments and equipment specifications in order to trick business recipients into opening the attachment.

When the attachment is opened, a VBScript file runs and launches a batch script. This first batch script creates several new directories and copies a number of files into them before executing a second batch script.

This second batch script then opens an empty JPG file to hide its command windows before altering the Windows Firewall settings. It then runs the legitimate Email Password Dump and Browser Password Dump tools from SecurityXploded to extract mail and browser account credentials, and collects network information with the ipconfig utility. The harvested data is uploaded over FTP to a well-known file hosting platform using a version of the commercial NcFTP client.
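The execution chain above gives a defender several correlatable stages. The following is an added example, not code from the original post: it scans constructed Sysmon-style process-creation and network-connection records for the stages the post describes (script host launching a batch file, a firewall change, the listed filenames, and an FTP connection to the listed host and IP). Field names follow Sysmon; the sample events and the use of netsh as the firewall-change indicator are assumptions.

```python
from collections import defaultdict

# Indicators taken from the post above (defanging brackets removed).
KNOWN_FILES = {"adobel.vbs", "adob01.bat", "adob02.bat", "adobepdf.exe", "adobepdf2.exe"}
IOC_HOSTS = {"ftp.freehostia.com"}
IOC_IPS = {"198.23.57.8"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

def check_event(ev):
    """Return the rule names one Sysmon-style event dict matches."""
    hits = []
    cmd = ev.get("CommandLine", "").lower()
    image = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
    parent = ev.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    if ev.get("EventID") == 1:  # process creation
        if parent in SCRIPT_HOSTS and image == "cmd.exe" and ".bat" in cmd:
            hits.append("script_host_spawns_batch")
        # Assumption: netsh is matched here; the post only says firewall settings are altered.
        if image == "netsh.exe" and "firewall" in cmd:
            hits.append("firewall_change")
        if image in KNOWN_FILES or any(f in cmd for f in KNOWN_FILES):
            hits.append("separ_filename")
    elif ev.get("EventID") == 3:  # network connection
        host = ev.get("DestinationHostname", "").lower()
        if ev.get("DestinationIp") in IOC_IPS or host in IOC_HOSTS:
            hits.append("separ_ftp_upload")
    return hits

def scan_events(events):
    """Map each matched rule to the RecordIds that triggered it."""
    matched = defaultdict(list)
    for ev in events:
        for rule in check_event(ev):
            matched[rule].append(ev["RecordId"])
    return dict(matched)

def looks_like_separ(events, min_rules=3):
    """Alert only when several distinct stages are seen; ipconfig alone is noise."""
    return len(scan_events(events)) >= min_rules

# Constructed sample events from one host; not a real capture.
SAMPLE_EVENTS = [
    {"RecordId": 1, "EventID": 1, "ParentImage": r"C:\Temp\quote.exe",
     "Image": r"C:\Windows\System32\wscript.exe", "CommandLine": "wscript.exe adobel.vbs"},
    {"RecordId": 2, "EventID": 1, "ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd /c adob01.bat"},
    {"RecordId": 3, "EventID": 1, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\netsh.exe", "CommandLine": "netsh advfirewall firewall add rule"},
    {"RecordId": 4, "EventID": 1, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\ipconfig.exe", "CommandLine": "ipconfig /all"},
    {"RecordId": 5, "EventID": 3, "Image": r"C:\Temp\ncftpput.exe", "DestinationPort": 21,
     "DestinationIp": "198.23.57.8", "DestinationHostname": "ftp.freehostia.com"},
]
```

Requiring several distinct stages before alerting keeps common benign events such as ipconfig from firing on their own.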

Indicators of Compromise

IP Addresses

  • 198.23.57[.]8:21

URLs

  • ftp.freehostia[.]com

Filenames

  • adobel.vbs – Initial VBScript file
  • adob01.bat – First batch file
  • adob02.bat – Second batch file
  • adobepdf.exe – Browser password extraction tool
  • adobepdf2.exe – Email password extraction tool

SHA256 File Hashes


Duncan Newell

Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.
